2. Privacy Regulation in Australia

State and territory regulation of privacy

2.10 Each Australian state and territory regulates the management of personal
information. In some states and territories, personal information is regulated
by legislative schemes, in others by administrative regimes.

2.11 Section 3 of the Privacy Act states:

It is the intention of the
Parliament that this Act is not to affect the operation of a law of a State or
of a Territory that makes provision with respect to the collection, holding,
use, correction, disclosure or transfer of personal information (including such
a law relating to credit reporting or the use of information held in connection
with credit reporting) and is capable of operating concurrently with this Act.

2.12 The provision makes clear that the Australian Parliament did not intend to ‘cover
the field’ and to override state and territory laws relating to the protection
of personal information if such laws are capable of operating alongside the Privacy
Act. Section 3 of the Privacy Act is discussed in
Chapter 3.

2.13 New South Wales (NSW), Victoria and the ACT all have legislation that regulates the
handling of personal health information in the private sector. This means that
health service providers and others in the private sector in those
jurisdictions are required to comply with both federal and state or territory
legislation in relation to personal health information. Part H of this
Report discusses the issues and problems inherent in this situation. Methods
for dealing with these issues are outlined in Chapter 3.

New South Wales

Privacy and Personal Information Protection Act 1998 (NSW)

2.14 NSW was the first state to enact public sector privacy laws. The Privacy and Personal Information Protection Act 1998
(NSW) contains a set of privacy standards called Information Protection
Principles that regulate the way NSW public sector agencies handle personal
information (excluding health information).[16]

2.15 A number of the Information Protection Principles are similar to the IPPs in the Privacy
Act, but they are not identical.[17]
There are four major sources of exemptions to the Privacy and Personal
Information Protection Act: in the Act;[18]
in regulations;[19]
in a privacy code of practice, made by the Attorney General;[20]
and in a public interest direction made by the NSW Privacy Commissioner.[21]

2.16 The Act provides for the development of privacy codes of practice. A privacy code
may modify the application to any public sector agency of one or more of the
Information Protection Principles[22]
and may exempt a public sector agency or class of public sector agency from the
requirement to comply with any of the Information Protection Principles.[23]
The Act also provides for privacy management plans.[24]

2.17 The Act establishes the Office of the NSW Privacy Commissioner (Privacy NSW). The
NSW Privacy Commissioner has a number of functions, including a
complaint-handling function. The NSW Privacy Commissioner must endeavour to
resolve complaints by conciliation[25]
and may also make written reports on any findings or recommendations made in
relation to a complaint.[26]

2.18 Under the existing privacy regime in NSW, there are two avenues of complaint
available to individuals who believe that their privacy has been infringed. The
individual may make a complaint directly to Privacy NSW.[27]
Alternatively, those who believe that their privacy has been interfered with by
a NSW public sector agency can submit a complaint directly to the agency and
request that the agency conduct an internal review of the behaviour that led to
the complaint. Privacy NSW is responsible for the oversight of internal
reviews.[28]
If an individual is not satisfied with the finding of the review or the action
taken by the agency in relation to the application, the individual may apply to
the NSW Administrative Decisions Tribunal for a review of the conduct.[29]

2.19 In 2005–06, 81 complaints were made directly to Privacy NSW.[30]
The majority of those complaints were against state government agencies. A
significant proportion, however, were also against private organisations and
local governments.[31]
The most common complaints received by Privacy NSW were about disclosure of
information, surveillance and physical privacy, and collection of information.[32]
NSW public sector agencies handled 100 complaints as internal reviews, which were
then overseen by Privacy NSW.[33]

Health Records and Information Privacy Act 2002 (NSW)

2.20 The Health Records and Information Privacy Act 2002 (NSW) implements a
privacy regime for health information held in the NSW public sector and the
private sector (except small businesses as defined in the Privacy Act).[34]
The Act allows for individuals to obtain access to health information and
establishes a framework for the resolution of complaints regarding the handling
of health information.[35]

2.21 The Act contains 15 Health Privacy Principles (HPPs) that outline how health
information must be collected, stored, used and disclosed. The HPPs can be
grouped into seven areas: collection; storage; access and accuracy; use;
disclosure; identifiers and anonymity; and transferrals and linkage.[36]
The Act provides for a number of exemptions from these principles. For example,
the Act does not apply to the Independent Commission Against Corruption (ICAC),
except in connection with the exercise of its administrative and educative
functions.[37]
Further, the HPPs themselves include exemptions,[38]
some of which are the subject of statutory guidelines.[39]

2.22 The Health Records and Information Privacy Act provides two avenues of
complaint for individuals. Parts 3 and 6 of the Act allow individuals to make
complaints directly to the NSW Privacy Commissioner,[40]
or direct their complaints to the NSW public sector agency for internal review
of the conduct that led to the complaint.[41]
In 2005–06, Privacy NSW received 28 complaints relating to health records.[42]
NSW public sector agencies handled 20 complaints concerning health records
as internal reviews, which were then overseen by Privacy NSW.[43]

Other legislation

2.23 The Workplace Surveillance Act 2005 (NSW) prohibits covert surveillance
of employees in the workplace without appropriate notice. Three categories of
surveillance are covered: camera surveillance; surveillance of an employee’s
use of a work computer; and surveillance of the location or movements of an
employee.[44]

2.24 The Surveillance Devices Act 2007 (NSW) was recently enacted to regulate the
installation, use, maintenance and retrieval of surveillance devices; restrict
the use, publication and communication of information obtained through the use
of surveillance devices; and establish procedures for law enforcement officers
to obtain warrants or emergency authorisations for the installation, use,
maintenance and retrieval of surveillance devices. The Act repeals the Listening
Devices Act 1984 (NSW).[45]

Victoria

Information Privacy Act 2000 (Vic)

2.25 The Information Privacy Act 2000 (Vic) came into force on 1 September
2002. The Act covers the handling of personal information (except health
information) in the state public sector in Victoria, and by other bodies that
are declared to be ‘organisations’ for the purposes of the Act.[46]
Organisations performing work for the Victorian government may also be subject
to the Act, depending on the particular contract.[47]

2.26 The Act requires public sector agencies to comply with 10 Information Privacy
Principles or have an approved code of practice.[48]
The Information Privacy Principles are similar to the NPPs in the Privacy
Act.[49]
The Act contains a number of exemptions, including in relation to courts and
tribunal proceedings, publicly available information and law enforcement.[50]

2.27 The Act establishes the Office of the Victorian Privacy Commissioner (OVPC). The
Victorian Privacy Commissioner’s functions include the receipt of complaints
about an act or practice that may contravene an Information Privacy Principle
or that may interfere with the privacy of an individual.[51]
The complaint-handling procedure includes a conciliation process and
conciliation agreement. The Victorian Privacy Commissioner also has the power
to issue compliance notices in order to enforce the Information Privacy Principles.[52]
Unlike the federal Privacy Commissioner or the Victorian Health Services
Commissioner, the Victorian Privacy Commissioner has no power to decide that a
breach of privacy has occurred.

2.28 The OVPC received 54 new complaints in 2006–07.[53]
The most common complaints were against state government departments (18
complaints), local councils (11 complaints), law enforcement bodies (nine
complaints) and against statutory authorities (seven complaints). Complaints
related to use and disclosure, data security and the collection of information.[54]

Health Records Act 2001 (Vic)

2.29 The Health Records Act 2001 (Vic) covers the handling of all health
information held by health service providers in the state public sector[55]
and the private health sector.[56]
The Act contains 11 Health Privacy Principles adapted from the NPPs in the Privacy
Act.[57]
The Act contains a few exemptions to these principles, including for: dealing
with health information for personal, family or household affairs; publicly
available health information; and the news media.[58]

2.30 The Act is administered by the Office of the Health Services Commissioner, which may receive complaints about an
act or practice that may be an interference with the privacy of the
complainant.[59]
The Commissioner can deal with a complaint in a number of ways, including by
conducting an investigation, by conciliation, a hearing, issuing a compliance
notice, or referring a complaint to the Victorian Civil and Administrative
Appeals Tribunal.[60]
In 2006–07, the Office of the Health Services Commissioner accepted 89
complaints that related to the Health Records Act.

2.31 The Health Services Commissioner has the power to issue or approve guidelines.
These guidelines may lessen the level of privacy protection afforded by a
relevant Health Privacy Principle.[61]

Workplace privacy

2.32 In October 2005, the Victorian Law Reform Commission (VLRC) released Workplace
Privacy—Final Report (2005).[62]
The VLRC concluded that significant legislative gaps in the protection of
privacy in workplaces required regulation at the state level, and recommended
the enactment of workplace privacy legislation and the establishment of a
workplace privacy regulator.[63]

2.33 The Victorian Parliament has enacted the Surveillance Devices (Workplace Privacy) Act 2006
(Vic).[64]
The Act implements the recommendation of the VLRC report that acts or practices
of employers which involve installation, use or maintenance of surveillance
devices in relation to their workers should be regulated.[65]
The Act amends the Surveillance Devices Act 1999 (Vic) to make it an
offence for an employer knowingly to install, use or maintain an optical
surveillance device or listening device to observe, listen to, record or
monitor the activities or conversations of a worker in workplace toilets,
washrooms, change rooms or lactation rooms.[66]
There are some limited exceptions to this general prohibition.[67]

2.34 In March 2008, the Standing Committee of Attorneys-General (SCAG)
considered options for reform in the area of workplace privacy. SCAG agreed that
a minimum model for nationally consistent workplace privacy regulation should
be developed. In SCAG’s view, such a model should be supported by legislation,
and include a combination of measures such as mandatory and voluntary codes of
practice. If a jurisdiction imposes a stricter standard than the minimum model,
then the stricter standard should continue to apply in that jurisdiction.[68]

Charter of Human Rights and Responsibilities Act 2006 (Vic)

2.35 The Charter of Human Rights and Responsibilities Act 2006 (Vic) introduced a
Charter of Human Rights and Responsibilities for the protection and promotion
of human rights in Victoria.[69]
Part 2 of the Act sets out a number of human rights including the right of
a person not to have unlawful or arbitrary interference with his or her
privacy, family, home or correspondence. The Act requires statutory provisions
to be interpreted in a way that is compatible with the human rights set out
under Part 2 of the Act. It will also require public authorities to act in
a way that is compatible with those human rights. The Act is administered by
the Victorian Equal Opportunity and Human Rights Commission.

Queensland

2.36 In 1997, the Legal, Constitutional and Administrative Committee of the Queensland
Legislative Assembly recommended the enactment of a privacy regime for Queensland based on a set of information privacy principles and the establishment of a
Privacy Commissioner.[70]
While this recommendation has not been implemented, an administrative scheme
was established in 2001, based on the IPPs and the NPPs in the Privacy Act.
Details of the scheme are provided in Information Standards issued by the
Department of Innovation and Information Economy under the Financial
Management Standard 1997 (Qld).[71]

Information Standard 42

2.37 Information Standard 42—Information Privacy (IS 42) requires the Queensland state
public sector to manage personal information in accordance with a set of
Information Privacy Principles adapted from the IPPs in the Privacy Act.
IS 42 applies to all accountable officers and statutory bodies as defined
in the Financial Administration and Audit Act 1977 (Qld) (including
government departments). It also applies to most statutory government-owned
corporations.[72]

2.38 The requirement for agencies to comply with IS 42 is administratively based.
This means that, where conflicting legislative requirements exist, these will
prevail. In addition, compliance is subject to any existing outsourcing
arrangements, contracts and licenses.[73]
IS 42 provides for two types of exemptions, one concerning exempt bodies;
the other relating to personal information.[74]

2.39 IS 42 contains a number of requirements, including that departments and agencies
nominate a privacy contact officer; and that they develop, publish and
implement privacy plans to give effect to the Information Privacy Principles.[75]
IS 42 provides that agencies may develop codes of practice that modify the
application of the Information Privacy Principles.[76]
A set of guidelines has been developed to assist agencies to comply with their
obligations in this regard.[77]

2.40 The Queensland Government Department of Justice and Attorney-General is responsible
for the administration of privacy in Queensland under IS 42, which
includes initiating whole of government privacy initiatives, providing policy
advice and dispensing best practice advisory services to Queensland Government
agencies and the community.

Health information

Queensland Health Quality and Complaints Commission Act 1992 (Qld)

2.41 In 2006, the Health Rights Commission Act 1992 (Qld) was repealed by the Health Quality and Complaints
Commission Act 2006 (Qld). The new Act replaces the Health Rights
Commission with the Health Quality and Complaints Commission (HQCC). The HQCC
is responsible for the oversight of public and private health service delivery
in Queensland, and for addressing complaints associated with health service
delivery in Queensland. Although there is no specific provision for privacy
complaints under the Health Quality and Complaints Commission Act, the HQCC
reported that in 2006–07 it received 111 complaints related to
‘privacy/discrimination’ out of a total of 2,832 complaints.[78]

2.42 Chapter 4
of the Health Quality and Complaints Commission Act requires the HQCC to
develop a Code of Health Rights and Responsibilities.[79]
In developing the content of the Code, the Commission must have regard to a
number of principles, including that the confidentiality of information about
an individual’s health should be preserved; an individual is entitled to
reasonable access to records about the individual’s health; and an individual
is entitled to reasonable access to procedures for the redress of grievances
relating to the provision of health services.[80]

2.43 The HQCC has released a Draft Code of Health Rights and Responsibilities
(Draft Code) for consultation.[81]
The Draft Code is intended to apply to all health service providers,
health service users and their carers throughout the public and private sectors
in Queensland.[82]

2.44 The Draft Code contains seven statements of health rights. Statement 6 outlines
that: ‘You have a right to access your personal health information,
confidentiality and accurate record keeping’. This statement is broken down
into four entitlements of health service users: service provision in a
confidential environment; accurate and objective recording of health
information; confidential keeping of health information and records; and access
to personal information. Each entitlement sets out the responsibilities of providers and users.[83]

Health Services Act 1991 (Qld)

2.45 Part 7 of the Health Services Act 1991 (Qld)
provides that it is an offence for a designated person or former designated
person to disclose confidential information that identifies a person who is
receiving, or has received, a public sector health service.[84] The provision is subject to a number of exceptions, for example:
with consent; where required or permitted by law; to assist in averting a
serious risk to life, health or safety, or public safety.[85]

Information Standard 42A

2.46 Information Standard 42A—Information Privacy for the Queensland Department of Health
(IS 42A) applies only to that Department and requires health information
and personal information to be managed in accordance with National Privacy
Principles adapted from the NPPs contained in the Privacy Act.[86]
A number of principles have been deleted as they do not apply to the Queensland
Department of Health or are dealt with under other schemes. For example,
NPP 6 has been deleted as rights of access and correction are provided for
in the Freedom of Information Act 1992 (Qld).

2.47 IS 42A is similar to IS 42: it contains the same mandatory requirements; similar
exemptions; and provides for the development of codes of practice. A set of
guidelines has been developed to assist the Department to comply with its
obligations under IS 42A.[87]

Other legislation

2.48 The Invasion of Privacy Act 1971 (Qld) requires the licensing and
control of credit reporting agents and regulates the use of listening devices.

Western Australia

2.49 The state public sector in Western Australia does not currently have a legislative
privacy regime, although some privacy principles are provided for in the Freedom
of Information Act 1992 (WA). This Act provides for access to documents and
the amendment of ‘personal information’ in a document held by an agency that is
inaccurate, incomplete, out-of-date or misleading. The definition of ‘personal
information’ is similar to the definition under the Privacy Act except
that it also includes information about an individual who can be identified by
reference to an identification number or other identifying particular such as a
fingerprint, retina print or body sample.[88]

2.50 Part 4 of the Freedom of Information Act 1992 (WA) establishes the Information
Commissioner, whose main function is to deal with complaints about decisions
made by agencies in respect of access applications and applications for
amendment of personal information.[89]
The Office of the Information Commissioner received 145 complaints in 2006–07, of which 113 were for
external review of a decision under the Freedom of Information Act 1992
(WA). External review complaints include complaints relating to applications
for access to documents and the amendment of personal information under the
Act.[90]

2.51 The State Records Act 2000 (WA) affords some limited protection of privacy.
For example, no access is permitted to medical information about a person
unless the person consents, or the information is in a form that neither
discloses nor would allow the identity of the person to be ascertained.[91]
Neither the State Records Act nor the Freedom of Information Act 1992
(WA), however, deal comprehensively with privacy issues associated with the collection,
storage and use of personal information by agencies.

Information Privacy Bill 2007

2.52 The Information Privacy Bill 2007 (WA) was introduced into the Western Australian
Parliament on 28 March 2007. The Bill proposes to regulate the handling of
personal information in the state public sector and the handling of health
information by the public and private sectors in Western Australia.[92]
As at April 2008, the Bill had been read a second time in the Legislative
Council.

2.53 The Bill requires most state public sector agencies, and contractors to public
sector agencies, to comply with a set of eight Information Privacy Principles.
The Information Privacy Principles draw heavily on the NPPs contained in the Privacy
Act and on the Information Privacy Principles in the Information Privacy
Act 2000 (Vic).[93]

2.54 The Bill also requires most public sector agencies, private sector health service
providers, and persons or bodies in the private sector who handle health
information about individuals, to comply with a set of 10 Health Privacy
Principles. The Health Privacy Principles are adapted from, and are consistent
with, the Draft National Health Privacy Code.[94]
They are broadly similar to the general requirements of the NPPs in the Privacy
Act, but are specifically tailored to the privacy of health information.[95]
Under Part 3 Division 2 of the Bill, individuals will be given access
to records held by private sector organisations and increased ability to amend
their records. This is similar to the power under the Freedom of Information
Act 1992 (WA).

2.55 The Bill contains a number of exemptions, including for courts and tribunals[96]
and publicly available information.[97]
Some law enforcement agencies and child protection agencies do not have to
comply with certain Information Privacy Principles and Health Privacy
Principles.[98]
The Bill also provides for codes of practice that can derogate from the
Information Privacy Principles and the Health Privacy Principles.[99]

2.56 Part 6 of the Bill overrides prohibitions on the disclosure of
personal and health information by public sector agencies, whether those
prohibitions result from other statutes, the common law, or ethical or
professional obligations, provided the disclosure meets certain criteria. These
criteria include, for example, that the disclosure is for the purpose for which
the information was collected, or that the disclosure falls within certain
specified exceptions to the Information Privacy Principle or Health Privacy Principle
relating to use and disclosure.

2.57 The Bill would establish the Privacy and Information Commissioner, who will replace
and expand the role of the current Information Commissioner. The Commissioner’s
functions and powers would include: monitoring and promoting compliance with
the Information Privacy Principles and the Health Privacy Principles, reporting
to the minister responsible for administering the legislation, and resolving
complaints.[100]
The complaint-handling process includes the use of conciliation proceedings.[101]
Complaints that are not resolved through conciliation may be resolved by the
State Administrative Tribunal.[102]

South Australia

Cabinet administrative instruction

2.58 There is no legislation that specifically addresses privacy in South Australia.[103]
The South Australian Department of the Premier and Cabinet, however, has issued
an administrative instruction requiring its government agencies to comply with
a set of Information Privacy Principles based on the IPPs in the Privacy Act.
PC012—Information Privacy Principles Instruction was first issued in
July 1989 and then reissued in July 1992.[104]

2.59 The Privacy Committee of South Australia was first established in 1989. In 2001,
the Committee was appointed to oversee the implementation of the Information
Privacy Principles in the South Australian public sector and to provide advice
on privacy issues. The Committee oversees the privacy regime and performs a
complaint-handling role. The Committee’s functions include the referral of
written complaints concerning violations of individual privacy received by it
to an appropriate authority.[105]
The Committee must prepare a report of its activities annually and submit the
report to the minister (currently the Minister for Finance). Members of the
public who are unsatisfied with the Privacy Committee’s response to their
complaint are referred to the South Australian Ombudsman for further
investigation.[106]
The Committee is also able to exempt a person or body from one or more of the
Information Privacy Principles on such conditions as the Committee thinks fit.[107]

2.60 The ALRC has been informed that State Records of South Australia (State Records),
in supporting the Privacy Committee of South Australia, is developing a
guideline for matching and sharing personal information. State Records is also
examining other opportunities for guidelines and proposed amendments to the
Instruction that might improve the protection of privacy within the South
Australian public sector. Other projects include the development of a standard
under the State Records Act 1997 (SA) relating to contracting out and
the handling of personal information.[108]

Code of Fair Information Practice

2.61 South Australia also has a Code of Fair Information Practice based on the NPPs in
the Privacy Act.[109]
The Code applies to the South Australian Department of Health and the
Department for Families and Communities.[110]

Tasmania

Personal Information Protection Act 2004 (Tas)

2.62 The Personal Information Protection Act 2004 (Tas) regulates the collection,
use and disclosure of personal information. The Act applies to ‘personal
information custodians’ including state government agencies, statutory boards,
local councils, the University of Tasmania and any body, organisation or person
who has entered into a personal information contract with government agencies
relating to personal information.[111]
A ‘personal information contract’ is a contract between a personal information
custodian and another person relating to the collection, use or storage of
personal information.[112]

2.63 The 10 ‘Personal Information Protection Principles’ set out in Schedule 1 of
the Act are based on the NPPs in the Privacy Act. Aspects of the Privacy
and Personal Information Protection Act 1998 (NSW) and the Information
Privacy Act 2000 (Vic) also have been incorporated into the principles.

2.64 The Tasmanian regime is similar to legislation in other jurisdictions in that it
contains exemptions for information concerning law enforcement or that is
publicly available.[113]
The obligations in relation to ‘employee information’, however, are different
from the federal and other state and territory regimes, in that they allow job
applicants and employees to benefit from the privacy obligations imposed on
employers.[114]
A personal information custodian also may apply to the Minister for Justice for
an exemption from compliance with any or all of the provisions of the Act.[115]

2.65 Part 4 of the Act provides for complaints and investigations. Rather than establishing
a central body (such as a Privacy Commissioner) to manage complaints, the
Tasmanian Ombudsman either investigates and determines the complaint or refers
the complaint to another person, body or authority that the Ombudsman considers
appropriate in the circumstances.[116]
If, on completion of an investigation of a complaint, the Ombudsman is of the
opinion that a personal information custodian has contravened a personal
information protection principle, the Ombudsman may make any recommendations
the Ombudsman considers appropriate in relation to the subject matter of the
complaint.[117]

Charter of Health Rights and Responsibilities

2.66 The Health Complaints Act 1995 (Tas) requires the Health Complaints
Commissioner to develop a Charter of Health Rights.[118]
The Charter of Health Rights and Responsibilities was developed and
tabled in Parliament in 1999.

2.67 The Charter applies to a wide range of health service providers and provides for
six rights, including the right to confidentiality, privacy and security.[119]
It sets out a range of rights of health service consumers including the right
of a consumer: to have his or her personal health information and any matters
of a sensitive nature kept confidential; for health service facilities to
ensure his or her privacy when receiving health care; and to expect that
information about his or her health is kept securely and cannot easily be
accessed by unauthorised persons. The Charter also provides that health service
providers have the right to discuss the health care and treatment of a consumer
with other providers for advice and support, if it is in the best interest of the
consumer’s health and wellbeing.[120]

2.68 The Charter is administered by the Health Complaints Commissioner,[121]
who has a number of functions including to receive, assess and resolve
complaints.[122]
Complaints may be resolved by conciliation and through the use of enforceable
agreements between a complainant and health service provider.[123]
In 2006–07, the Commissioner reported the resolution of 21 privacy-related
complaints out of a total of 485 complaints resolved in that period.[124]

Australian Capital Territory

2.69 The ACT public sector complies with an amended version of the Privacy Act.[125]
The Office of the Privacy Commissioner (OPC) administers the Act on behalf of
the ACT government.

Health Records (Privacy and Access) Act 1997 (ACT)

2.70 The Health Records (Privacy and Access) Act 1997 (ACT) removes health
records from the jurisdiction of the OPC. The Act regulates the handling of
health records held in the public sector in the ACT and also applies to acts or
practices of the private sector. The Act contains 14 privacy principles that
have been modified to suit the requirements of health records.[126]

2.71 The Act gives people access to their own health records or any other record to the
extent that it contains personal health information.[127]
The Act imposes obligations on both the person requesting access to a health
record[128]
and the person who responds to a request for access.[129]
The Act contains a number of exemptions to the general right of access to
health records. For example, it is a ground of ‘non-production’ if the record
or part of the record does not relate in any respect to the person requesting
it.[130]

2.72 The ACT Human Rights Commission administers the Act.[131]
Under Part 4, a complaint may be made to the Commissioner on the following
grounds: the act or omission contravenes the privacy principles in relation to
a consumer; the act or omission is a refusal to give access in accordance with
the Act to a health record relating to a consumer; or the act or omission is a
refusal by a record keeper of a health record to give access to the health
record under the Act.

2.73 The Human Rights Commission commenced operation on 1 November 2006. The Commission
is an independent agency established by the Human Rights Commission Act 2005
(ACT). The Commission brings together the existing functions of the ACT Human
Rights Office and the Community and Health Services Complaints Commissioner.
The Health Records (Privacy and Access) Act was previously administered
by the ACT Community and Health Services Complaints Commissioner.[132]

Human Rights Act 2004 (ACT)

2.74 Section 12
of the Human Rights Act 2004 (ACT) provides that all individuals have
the right not to have unlawful or arbitrary interferences with their privacy,
family, home or correspondence or have their reputation unlawfully attacked.
The Act also imposes a duty of consistent interpretation in respect of other
legislation. Under the Act, when a court is interpreting an ACT law it must
adopt an interpretation ‘consistent with human rights’ as far as possible.[133]

Northern Territory

Information Act 2002 (NT)

2.75 The
Northern Territory has combined its information privacy, freedom of
information, and public records laws into a single Act, the Information
Act 2002 (NT). Schedule 2 of the Act contains 10 Information Privacy
Principles.[134]
The Information Privacy Principles are based on the NPPs in the Privacy Act.[135]
The Act provides for a number of exemptions to the Information Privacy
Principles. For example, the Information Privacy Principles do not apply to
publicly available information,[136]
or to court or tribunal proceedings.[137]

2.76 The
Act also provides for approved codes of practice.[138]
A code may specify the manner in which a public sector agency is to apply or
comply with one or more of the Information Privacy Principles. A code may also
modify an Information Privacy Principle, but only in limited circumstances.[139]

2.77 Part 6
of the Act establishes the Information Commissioner for the Northern Territory.
The Information Commissioner may authorise a public sector agency to collect,
use or disclose personal information in a manner that would otherwise
contravene or be inconsistent with specified Information Privacy Principles.[140]
The Commissioner also has the power to issue a notice requiring a public sector
organisation to take specified action within a period to ensure that in the
future it complies with an IPP or code of practice.[141]

2.78 A
person may make a complaint to the Commissioner about a public sector
organisation that has collected or handled his or her personal information in a
manner that contravenes an Information Privacy Principle, a code of practice or
an authorisation; or has otherwise interfered with the person’s privacy.[142]
The Information Commissioner has the power to conduct a hearing in relation to
the complaint and make a number of orders.[143]
In 2006–07, the Information Commissioner received three privacy complaints.[144]

Code of Health and Community Rights and Responsibilities

2.79 The
Northern Territory does not have health-specific privacy legislation, although
the Code of Health and Community Rights and Responsibilities (the Code)
made under s 104(3) of the Health and Community Services Complaints Act
1998 (NT) confers a number of rights and responsibilities on all users and
providers of health and community services in the Northern Territory.[145]
The rights and responsibilities set out in the Code do not override duties set
out in Northern Territory or federal legislation.

2.80 Principle 4
of the Code relates to personal information. It provides that people have a
right to information about their health, care and treatment. They do not have,
however, an automatic right of access to their care or treatment records. Under
the Principle, health service providers may prevent health service users from
accessing their records where legislation restricts the right to access
information, or the provider has reasonable grounds to consider that access to
the information would be prejudicial to the user’s physical or mental health.
The Principle also provides that health service providers have a responsibility
to protect the confidentiality and privacy of health service users.

2.81 The
Northern Territory Health and Community Services Complaints
Commission handles complaints in relation to non-compliance with the Code.
Complaints are administered under the Health and Community Services
Complaints Act 1998 (NT). Under that Act, the Commissioner may resolve
complaints by conciliation,[146]
and may receive complaints from the Information Commissioner.[147]
The Health and Community Services Complaints Review Committee may review
decisions by the Commissioner.[148]
In 2006–07, the Commission reported that it did not receive any complaints
relating to access to records and that it received one complaint relating to
‘privacy/confidentiality’.[149]

Proposed health privacy legislation

2.82 In
March 2002, the Northern
Territory Department of Health and Community Services released a discussion
paper, Protecting the Privacy of Health Information in the Northern
Territory,[150]
which sought views on the need for the development of health-specific privacy
protection for the Northern Territory. The legislation proposed by the
discussion paper would apply to public sector organisations only, and consisted
of three main elements: the protection of the privacy of an
individual’s health information in both the public and private sectors in the
Northern Territory; the establishment of a right for individuals to access
their own health information; and the conferral of jurisdiction on the Health
and Community Services Complaints Commissioner to oversee the health privacy
regime and to handle and resolve complaints.[151]
To date, a final report has not been released.

Other relevant state and territory legislation

2.83 Personal
information is also regulated under state and territory legislation that is not
specifically concerned with the protection of personal information. Examples
include legislation that contains secrecy provisions, freedom of information
legislation, public records legislation, listening and surveillance devices
legislation and telecommunications legislation.

2.84 Legislation
in each state and territory includes provisions that place obligations on
public sector agencies and individuals in the public sector not to use or
disclose certain information. For example, s 9 of the Public Sector
Management Act 1994 (WA) requires all public sector bodies to
be ‘scrupulous in the use of official information’. Other state and territory
legislation includes secrecy provisions. Often these provisions state that the
disclosure of certain information is an offence.[152]
For example, s 22 of the Health Administration Act 1982 (NSW) provides
that it is an offence to disclose information obtained in connection with the
administration of the Act, subject to a number of exceptions.

2.85 Each
state and territory has freedom of information legislation that enables the
public to obtain access to information held by that state or territory
government. The right of access to information is subject to a number of
exceptions. Documents affecting personal privacy of third parties will usually
be exempt from the access requirements under the Act or will be released only
after a consultation process.[153]
Freedom of information legislation also attempts to ensure that records held by
government concerning the personal affairs of members of the public are
complete, correct, up-to-date and not misleading.[154]

2.86 Public
records legislation in each state and territory is intended to ensure the
effective management of government records and improved record keeping. The
legislation provides for public access to records as well as setting out
restrictions on access to certain records. Some state and territory public
records legislation restricts access to records that contain personal
information.[155]

2.87 Some
privacy protection is also provided in state and territory legislation
regulating the use of listening and other surveillance devices,[156]
and telecommunications interception.[157]

2.88 Various
state and territory laws regulate the private sector. For example, s 19 of
the Introduction Agents Act 1997 (Vic) regulates the handling of
personal information by introduction agencies about their clients. State and
territory public health Acts require health service providers, including
private health service providers, to collect and record certain information
about health consumers with ‘notifiable diseases’ such as tuberculosis,
Creutzfeldt-Jakob disease and HIV/AIDS.[158]
State and territory adoption laws contain a range of provisions regulating
adoption records held by government and private adoption agencies, including
providing for retention, disclosure and access to information.[159]
State and territory laws that regulate the private sector are discussed further
in Chapter 3.

[17] The
Privacy and Personal Information Protection Act 1998 (NSW) ‘adopted with few modifications, the same principles as contained in the Federal Privacy Act’: Privacy NSW, Submission to the New South Wales Attorney General’s Department Review of the Privacy and Personal Information Protection Act 1998, 24 June 2004, 17. The Privacy and Personal Information Protection Act 1998 (NSW) was enacted before the inclusion of the NPPs in the Privacy Act.

[30] This
is a significant decrease in the number of complaints received the previous
year. In 2004–05, Privacy NSW reported that it received 111 complaints: Privacy NSW, Annual Report 2004–05 (2005), 29. Privacy NSW provides a number of reasons for the drop in complaints: the general public is becoming more aware of the internal review process and increasingly taking the internal review option rather than requesting an investigation by Privacy NSW; agencies have become increasingly familiar with the provisions of the Act; since October 2004, Privacy NSW has been unable to conduct training sessions (training activities raise the profile
of the Office and generate further enquiries and requests for advice from the
trainees); it is likely that the number of complaints made to a privacy
regulator tends to decrease or plateau a few years after the regulator begins
operation; and it is expected that some individuals did not need to contact
Privacy NSW because they had obtained the information they needed from the
Privacy NSW website: Privacy NSW, Annual Report 2005–06 (2006), 18.

[31] The Privacy and Personal Information Protection Act 1998 (NSW) applies primarily to the NSW public
sector. The NSW Privacy Commissioner has the power, however, to investigate and
conciliate privacy breaches by organisations and individuals who are not public
sector agencies: Privacy and Personal Information Protection Act 1998 (NSW) s 36(2)(k), (l). The NSW Privacy Commissioner also has functions under the Health Records and Information Privacy Act 2002 (NSW), which regulates both the public sector and private sector.

[34] See
definition of ‘private sector person’ in Privacy and Personal Information Protection Act 1998 (NSW) s 4. The Act did not commence until 25 September 2004: New South Wales Government Gazette (Health Records and Information Privacy
Act 2002), 27 August 2004, 6683.

[36] Ibid sch 1. The Health Records and Information Privacy Act 2002 (NSW) was a result of the recommendations of the Ministerial Advisory Committee on Privacy and Health Information. According to the Second Reading Speech the development of the legislation was also guided by three additional principles: obligations already imposed on service providers and health service providers by existing laws, such as the federal Privacy Act; drawing together the best elements of existing privacy legislation at a
local, national and international level (in particular the obligations imposed
under the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records Act 2001 (Vic)); and to ensure a readily accessible and usable set of principles having due regard to both individual rights and the special needs arising in the management and use of health information. Consistency with the federal Privacy Act was a particular issue: New South Wales, Parliamentary Debates, Legislative Council, 11 June 2002, 2958 (M Egan—Treasurer and Minister for State Development).

[45] The Act was assented to on 23 November 2007. The Act
commences on a day or days to be appointed by proclamation: Surveillance Devices Act 2007 (NSW) s 2. At
31 March 2008, the Act was still to be proclaimed.

[49] Ibid sch 1. ‘Some modifications to the National Principles have been made to reflect the responsibilities of public sector organisations to promote public interests and be accountable for the expenditure of public funds … In adapting the National Principles under Victorian law it is intended that as much consistency as possible can be maintained with perceptions and practice already operating nationally’: Explanatory Memorandum, Information Privacy Bill 2000 (Vic), 7.

[53] This
is a significant decrease in the number of complaints that were received in the
previous year. The OVPC reported that in 2005–06 it received 82 new complaints:
Office of the Victorian Privacy Commissioner, Annual Report 2005–06 (2006), 23. It stated that the 2005–06 complaint numbers were significantly increased by 21 complaints against a single organisation about the same subject matter: Office of the Victorian Privacy Commissioner, Annual Report 2006–07 (2007), 18.

[57] ‘The
core elements of the HPPs are consistent with the Information Privacy
Principles in Schedule 1 of the Information Privacy Act 2000.
However, the HPPs specifically address issues pertaining to health information
and the provision of health services, and adjusted to have appropriate
application to both the public and private sectors’: Explanatory Memorandum, Health Records Act 2001 (Vic), 6. The Health Records Act 2001 (Vic) was designed to operate concurrently with any relevant Commonwealth laws: Victoria, Parliamentary Debates, Legislative Assembly, 23 November 2000, 1906 (J Thwaites—Minister for Health).

[67] Surveillance
is permitted: in accordance with a warrant or emergency
authorisation or a corresponding warrant or emergency authorisation; in
accordance with a law of the Commonwealth; or if required by a
condition of a liquor licence granted under the Liquor Control Reform Act 1998 (Vic):
Surveillance Devices (Workplace Privacy) Act 2006 (Vic) s 3.

[69] The
Act, except Divisions 3 (Interpretation of Laws) and 4 (Obligations of Public
Authorities) of Part 3, commenced on 1 January 2007. Divisions 3 and 4 of
Part 3 commenced on 1 January 2008.

[70] The
Committee recognised ‘the desirability to have national consistency in privacy
protection regimes applicable to both the public and private sectors given the
increasingly blurred distinction between those two sectors’ and concluded that
‘as far as possible, there should be consistency in privacy standards required
of the Commonwealth and Queensland public sectors’: Legislative Assembly of Queensland—Legal Constitutional and Administrative Review Committee, Privacy in Queensland, Report No 9 (1998), [6.1.3].

[81] Queensland Government Health Quality and Complaints Commission, Draft
Code of Health Rights and Responsibilities (2007).
At the time of writing in April 2008, public consultation on the draft code had
concluded and the Health Quality and Complaints Commission was preparing a
final code for presentation to the Queensland Minister for Health in 2008.

[89] Ibid s 63. The Freedom of Information
Amendment Bill 2007 (WA) proposes a number of significant amendments to the Freedom
of Information Act 1992 (WA), including: giving the State Administrative
Tribunal jurisdiction to deal with complaints on an external review under the
FOI Act, and confining the jurisdiction of the Information Commissioner on
external review to conciliating complaints; clarifying when an agency may
regard an access application as having been withdrawn, and confirming that an
agency may delete exempt matter and matter outside the ambit of an access
application before providing access to a document; and expanding the functions
of the Information Commissioner to include conducting reviews of the internal
FOI procedures of an agency.

[92] A
related Bill, the Freedom of Information Amendment Bill 2007 (WA), was
introduced on the same day. This Bill provides the Privacy and Information
Commissioner with powers to resolve FOI complaints by conciliation. At the time
of writing in April 2008, this Bill also was awaiting passage by the
Legislative Council.

[94] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003). See Part H for a discussion of the Draft National Health Privacy Code.

[103] There
have been recent calls for the introduction of privacy legislation in South Australia. See, eg, ‘Democrats Want SA Privacy Commissioner’, ABC News (online), 6 June 2007, <www.abc.net.au/news>.

[104] South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992).

[105] Ibid, Sch. The Committee has reported that in 2006–07 it received three new complaints in addition to three existing complaints. The Committee concluded three of the six complaints: Privacy Committee of South Australia, Annual Report of the Privacy Committee of South Australia 2006–07 (2007), [3.6].

[107] South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992), sch; Privacy Committee of South Australia, Privacy Committee Members’ Handbook Version 1.1 (2005), App 1. The Committee granted three exemptions in 2006–07: Privacy Committee of South Australia, Annual Report of the Privacy Committee of South Australia 2006–07 (2007), [3.7].

[108] State
Records of South Australia, Correspondence, 13 June 2007. See also
Privacy Committee of South Australia, Annual Report of the Privacy Committee
of South Australia 2005–06 (2006), [3.4.1], [3.4.2]; Privacy Committee of South Australia, Annual Report of the Privacy Committee of South Australia 2006–07 (2007), [3.3.1].

[109] South Australian Government Department of Health, Code of Fair Information Practice (2004), Foreword. The Information Privacy Principles are set out in Appendix B. The South Australia Department of Health considered that the NPPs provided an ideal basis for the Code because ‘they are generally applicable to the private sector, particularly those organisations which collect, use, store or disclose “sensitive information”—much of the type of data held by the Department of Health and its service providers’. In adopting the NPPs, the South Australia Department of Health was attempting to align ‘as much as possible to what looks likely to be the
model for a nationally consistent scheme for managing personal information’: South Australian Government Department of Health, Code of Fair Information Practice (2004), 6.

[110] South Australian Government Department of Health, Code of Fair Information Practice (2004), 7; Privacy Committee of South Australia, Annual Report of the Privacy Committee of South Australia 2004–05 (2005), [3.3.1]; Privacy Committee of South Australia, Annual Report of the Privacy Committee of South Australia 2006–07 (2007), [3.7].

[124] Tasmanian
Government Health Complaints Commissioner, Annual Report 2006–07 (2007),
46. The category ‘Privacy’ includes assault, breach of confidentiality,
discrimination, failure to ensure privacy, inconsiderate service and
unprofessional conduct. In 2005–06, the Commissioner reported that he resolved
38 privacy-related complaints out of a total of 663 complaints resolved in that
period: Tasmanian Government Health Complaints Commissioner, Annual Report
2005–06 (2006), 52.

[125] See
Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth). For example, the amended version provides that certain reports following the investigation of a complaint by the Privacy Commissioner are to be supplied to the ACT Attorney-General.

[132] The
ACT Human Rights Commission, Annual Report 2006–07 (2007) only records
complaints relating to health information for the period when the Community and
Health Services Complaints Commissioner was receiving complaints (from
1 July 2006 to 31 October 2006). The ACT Human Rights Commission reports
that for the period 1 July 2006 to 31 October 2006, the Community and
Health Services Complaints Commissioner received 29 complaints relating to
privacy and discrimination. Of these complaints, 26 complaints related to
access to health records. In 2005–06, the Community and Health Services
Complaints Commissioner received 25 complaints about access to health records,
and 10 complaints about disclosure of personal health information: ACT
Government Community and Health Services Complaints Commissioner, Annual
Report 2005–06 (2006), 40.

[134] The Northern Territory does not have health-specific
privacy legislation. In 1997, however, the Territory Health Services issued the
Territory Health Services Information Privacy Code of Conduct. The Code
of Conduct includes 11 principles that are based on the IPPs in the Privacy
Act. The Code covers personally identifiable health
information, data collections, staff records, and commercially
sensitive information. The
Northern Territory Department of Health and Community Services has not used the
Code of Conduct since the enactment of the Information Act 2002 (NT).

[149] Northern
Territory Government Health and Community Services Complaints Commission, Ninth
Annual Report 2006–2007 (2007), 76. In 2005–06, the Commission reported
that it did not receive any complaints relating to access to records, and that
it received two complaints relating to ‘privacy/confidentiality’: Northern
Territory Government Health and Community Services Complaints Commission, Eighth
Annual Report 2005–2006 (2006), 68.

[150] Northern Territory Government Department of Health and Community Services, Protecting the Privacy of Health Information in the Northern Territory, Discussion Paper (2002).